CVE-2026-27655
Stored XSS in ManageEngine Exchange Reporter Plus Mailbox Report
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: ManageEngine
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zohocorp | manageengine_exchange_reporter_plus | 5.8 |
| zohocorp | manageengine_exchange_reporter_plus | up to 5.8 (excluding 5.8) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27655 is a stored Cross-Site Scripting (XSS) vulnerability found in the ManageEngine Exchange Reporter Plus software, specifically in the "Permissions Based on Mailboxes" report within the Reports module.
This vulnerability affects versions 5801 and earlier of Exchange Reporter Plus. An authenticated attacker with Exchange administrative privileges can exploit this flaw by injecting malicious scripts into the report.
When other users access the compromised report, the malicious scripts execute under their privileges, potentially allowing unauthorized actions within the Exchange environment.
The issue was fixed in version 5802 by implementing proper input validation to prevent script injection.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized operations within your Exchange environment.
An attacker with Exchange administrative privileges can inject malicious scripts into mailbox permission reports, which execute when viewed by other users.
This could allow the attacker to perform actions on behalf of other users, potentially compromising sensitive data or altering configurations.
Because the vulnerability involves stored XSS, it can persist and affect multiple users who access the affected report.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-27655 vulnerability, users should update their Exchange Reporter Plus installations to version 5802 or later, as this version includes a fix that implements proper input validation to prevent script injection.
If updating immediately is not possible, users should restrict access to the "Permissions Based on Mailboxes" report to trusted administrators only, as exploitation requires authenticated Exchange administrative privileges.
For further assistance with updating or mitigation, contacting product support or the security team is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the stored XSS vulnerability in ManageEngine Exchange Reporter Plus directly impacts compliance with common standards and regulations such as GDPR or HIPAA.